Display a SecurityCenter status overview

[firebloodphoenix]

i had to dust of my account here,since its bin a wile since my last visit
i found this http://www.robvanderwoude.com/files/secstat_xp.txt
Is there something like it for windows 7?

i want to integrate it into my project
http://reboot.pro/files/file/118-infohack/

[aGerman]

First I corrected your link to Rob van der Woudes file.
I won't check your project, because I would have to register first.

However, the scipt seems to be applicable to Win7. Remove
VER | FIND "XP" >NUL || GOTO Syntax

Regards
aGerman

[firebloodphoenix]

The output is not correct:

Code: Select all

AntiVirus:
==========
Company Name       : 
Display Name       : 
On Access Scanning : Disabled
Product Up-to-date : No
Version Number     : 

Firewall:
=========
Company Name       : 
Display Name       : 
Enabled            : No
Version Number     : 

Windows Update:
===============
Last Reboot        : ~0,1-4-, ::

it dose not detect my ESET Antivirus
i don't care for the windows update information mush at this time

here is a other link to my project(uploaded just for you)
http://www.mediafire.com/?nls3v070g5346zp
please note that most of the components is made by nirsoft and may be picked up as a false positive virus upon execution
the password for the components.7z is "PASSWORD" if you want to check the md5 of the components
Please read the readme.txt before continuing
If you have tips for my project please share

[Squashman]

Did you read this on Rob's website.

Use WBEMTEST.EXE to find all properties for a specific AntiVirus or Firewall product.

[firebloodphoenix]

@ Squashman
All i want to know is if there is a antivirus installed
The name of the AV could be useful
I just thought that windows Action center might know this.
So is there a .vbs or .bat that can do this cus i can only find a script for XP

I don't want specific information about a specific AV rater a notification if a AV exists
I want to add it into my project to warn users that there AV might stop the NIRSOFT components from running

if you download my project you will see that i did something like that with the UAC if the script is run in spy-mode
I did Read Rob's website about the WBEMTEST.EXE but i have no idee how to use it
i have fond http://www.ks-soft.net/hostmon.eng/wmi/index.htm to explore the WMI but cannot find a reference to Action Center

[aGerman]

It seems the FirewallProduct class is not accessible on Win7, even not if I run the command as admin.
Unable to fix that. Perhaps they disabled it for security reasons.

Regards
aGerman

EDIT: I used a M$ script to figure out what happen. If I select the root\SecurityCenter namespace it tells me that it can't find any dynamic classes. I assume they removed it on Win7.

[firebloodphoenix]

I came up with this:

Code: Select all

WMIC.EXE /Node:"%userdomain%" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName^ /Format:List

it seems to do the trick
change AntiVirusProduct with FirewallProduct or AntispywareProduct(if installed)

[aGerman]

That's interesting.
You can also retrieve the productState. Unfortunately it's undocumented. See here to get an idea of how it is (probably) structured.
That script divides it into the 3 byte-values:

Code: Select all

@echo off &setlocal
for /f %%i in ('WMIC /NODE:"%userdomain%" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET productState /FORMAT:List^|findstr "="') do set /a "%%i"
set productState
cmd /c exit %productState%
set /a "Byte1=0x%=ExitCode:~2,2% , Byte2=0x%=ExitCode:~4,2% , Byte3=0x%=ExitCode:~-2%"
set Byte
pause

Regards
aGerman

[firebloodphoenix]

@aGerman

I think i found a other way
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
But i have no idea how to implement it in batch (or even if its possible)
Do you know of a way?

[aGerman]

You can't implement that in a batch file. It's a WINAPI. You could write a tool in a programming language that supports API calls.

Heading straight forward with the link I gave to you.
Things of interest:
- 1st Byte

WSC_SECURITY_PROVIDER_ANTIVIRUS = 4

True if the third Bit = 1


- 2nd Byte

SCANNER_RUNNING = 16

True if the fifth Bit = 1


- 3rd Byte

0x10: too old! (or last update check was made ages ago)

Again true if the fifth Bit = 1


Try:

Code: Select all

@echo off &setlocal
for /f "delims=" %%i in ('WMIC /NODE:"%userdomain%" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET displayName^,productState /FORMAT:List^|findstr "="') do set "%%i"
cmd /c exit %productState%
set /a "Byte1=0x%=ExitCode:~2,2% , Byte2=0x%=ExitCode:~4,2% , Byte3=0x%=ExitCode:~-2%"

echo(
echo Name:              %displayName%

set /a "flagAV=(Byte1>>2)%%2"
echo Antivirus:         %flagAV%

set /a "flagScan=(Byte2>>4)%%2"
echo Scanning enabled:  %flagScan%

set /a "flagOutOfDate=(Byte3>>4)%%2"
echo Out Of Date:       %flagOutOfDate%

echo ( 1=true, 0=false )

echo(
pause

Regards
aGerman

[firebloodphoenix]

Thanks i read your link that is where i got the API idea from:

michu wrote:
Here is the response of MS:
Read­ing directly from root­se­cu­ri­ty­cen­ter and rootsecuritycenter2 are not doc­u­mented or sup­ported inter­faces. As such, any­one who takes a depen­dency on them does so at their own risk. We do not share the prod­uct­State details out­side of Win­dows, even under NDA. Unfor­tu­nately, other than the WscGet­Se­cu­ri­tyProvider­Health inter­face, we don’t have a pub­lic inter­face to do what you are request­ing at this time.

So thanks A LOT for your script
Here Is one i made That shows some BIOS info:

Code: Select all

WMIC.EXE /Node:"%userdomain%" /Namespace:\\root\cimv2 Path Win32_BIOS Get Name^,Version^,Manufacturer^,SMBIOSBIOSVersion^ /Format:List